Web application security - the fast guide 1.1 | Page 55
Chapter 3 - Vulnerabilities and threat models
AccessComplexity = case AccessComplexity of
    high:   0.35
    medium: 0.61
    low:    0.71

Authentication = case Authentication of
    requires multiple instances of authentication: 0.45
    requires single instance of authentication:    0.56
    requires no authentication:                    0.704

ConfImpact = case ConfidentialityImpact of
    none:     0.0
    partial:  0.275
    complete: 0.660

IntegImpact = case IntegrityImpact of
    none:     0.0
    partial:  0.275
    complete: 0.660

AvailImpact = case AvailabilityImpact of
    none:     0.0
    partial:  0.275
    complete: 0.660
To take the effect of time into consideration we use the temporal equation, which scales the base score to a value in the range 0-10. Because every temporal factor is at most 1.0, the temporal score never exceeds the base score; and because the smallest product of the three factors is 0.85 * 0.87 * 0.90 (about 0.67), it is never more than 33% below the base score.
TemporalScore = round_to_1_decimal(BaseScore * Exploitability * RemediationLevel * ReportConfidence)
Exploitability = case Exploitability of
    unproven:         0.85
    proof-of-concept: 0.90
    functional:       0.95
    high:             1.00
    not defined:      1.00

RemediationLevel = case RemediationLevel of
    official-fix:  0.87
    temporary-fix: 0.90
    workaround:    0.95
    unavailable:   1.00
    not defined:   1.00

ReportConfidence = case ReportConfidence of
    unconfirmed:    0.90
    uncorroborated: 0.95
    confirmed:      1.00
    not defined:    1.00
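The following calculator ties the base metric tables above to the temporal equation. It is an added example, not code from the book: the metric weights are those listed in the text, while the AccessVector weights (local 0.395, adjacent 0.646, network 1.0), the base-score equation and the vector-string abbreviations (AV:N/AC:L/...) are taken from the CVSS v2 specification, which this chapter's tables follow. The vector parser rejects unknown metrics and incomplete vectors, and the rounding helper rounds half up the way CVSS expects rather than half to even as Python's round() does.

```python
# CVSS v2 base and temporal score calculator, added here as a worked example
# (not code from the book). Weights listed on this page are copied as-is; the
# AccessVector weights, the base-score equation and the vector codes are
# assumed from the CVSS v2 specification.
from decimal import Decimal, ROUND_HALF_UP

ACCESS_VECTOR = {"local": 0.395, "adjacent": 0.646, "network": 1.0}
ACCESS_COMPLEXITY = {"high": 0.35, "medium": 0.61, "low": 0.71}
AUTHENTICATION = {"multiple": 0.45, "single": 0.56, "none": 0.704}
IMPACT = {"none": 0.0, "partial": 0.275, "complete": 0.660}

EXPLOITABILITY_T = {"unproven": 0.85, "proof-of-concept": 0.90,
                    "functional": 0.95, "high": 1.0, "not defined": 1.0}
REMEDIATION_LEVEL = {"official-fix": 0.87, "temporary-fix": 0.90,
                     "workaround": 0.95, "unavailable": 1.0, "not defined": 1.0}
REPORT_CONFIDENCE = {"unconfirmed": 0.90, "uncorroborated": 0.95,
                     "confirmed": 1.0, "not defined": 1.0}

# Vector-string codes -> (metric name, code -> value) in CVSS v2 notation.
VECTOR_CODES = {
    "AV": ("av", {"L": "local", "A": "adjacent", "N": "network"}),
    "AC": ("ac", {"H": "high", "M": "medium", "L": "low"}),
    "Au": ("au", {"M": "multiple", "S": "single", "N": "none"}),
    "C":  ("c",  {"N": "none", "P": "partial", "C": "complete"}),
    "I":  ("i",  {"N": "none", "P": "partial", "C": "complete"}),
    "A":  ("a",  {"N": "none", "P": "partial", "C": "complete"}),
    "E":  ("e",  {"U": "unproven", "POC": "proof-of-concept",
                  "F": "functional", "H": "high", "ND": "not defined"}),
    "RL": ("rl", {"OF": "official-fix", "TF": "temporary-fix",
                  "W": "workaround", "U": "unavailable", "ND": "not defined"}),
    "RC": ("rc", {"UC": "unconfirmed", "UR": "uncorroborated",
                  "C": "confirmed", "ND": "not defined"}),
}
BASE_METRICS = ("av", "ac", "au", "c", "i", "a")


def round_to_1_decimal(x):
    """CVSS rounds half up; Python's round() rounds half to even, so use Decimal.
    Rounding to 6 places first removes binary float noise such as 7.4999999."""
    return float(Decimal(str(round(x, 6))).quantize(Decimal("0.1"),
                                                    rounding=ROUND_HALF_UP))


def base_score(av, ac, au, c, i, a):
    """BaseScore per CVSS v2: combines the impact and exploitability sub-scores."""
    impact = 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0 if impact == 0 else 1.176   # no impact at all -> score 0
    return round_to_1_decimal(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


def temporal_score(base, e="not defined", rl="not defined", rc="not defined"):
    """TemporalScore = round(BaseScore * Exploitability * RemediationLevel * ReportConfidence).
    Every factor is <= 1.0, so the result never exceeds the base score; the smallest
    product is 0.85 * 0.87 * 0.90 ~= 0.67, so it is never more than 33% below it."""
    return round_to_1_decimal(base * EXPLOITABILITY_T[e] * REMEDIATION_LEVEL[rl]
                              * REPORT_CONFIDENCE[rc])


def parse_vector(vector):
    """Parse 'AV:N/AC:L/Au:N/C:P/I:P/A:P[/E:F/RL:OF/RC:C]' into metric values.
    Rejects unknown metrics or codes and vectors missing a base metric."""
    metrics = {}
    for part in vector.split("/"):
        key, _, code = part.partition(":")
        if key not in VECTOR_CODES or code not in VECTOR_CODES[key][1]:
            raise ValueError(f"unknown metric or value: {part!r}")
        name, table = VECTOR_CODES[key]
        metrics[name] = table[code]
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"vector is missing base metrics: {missing}")
    return metrics


def score_vector(vector):
    """Return (base, temporal) for a CVSS v2 vector string; temporal metrics
    default to 'not defined', which leaves the base score unchanged."""
    m = parse_vector(vector)
    base = base_score(*(m[k] for k in BASE_METRICS))
    temporal = temporal_score(base, m.get("e", "not defined"),
                              m.get("rl", "not defined"), m.get("rc", "not defined"))
    return base, temporal


if __name__ == "__main__":
    # Constructed sample vector: remote, unauthenticated, partial C/I/A impact,
    # functional exploit available, official fix published, report confirmed.
    print(score_vector("AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C"))   # (7.5, 6.2)
```

Running the sample gives a base score of 7.5 and a temporal score of 6.2: the functional exploit (0.95) and official fix (0.87) pull the score down, while a confirmed report (1.00) leaves it untouched. Feeding a 10.0 base through the weakest temporal combination (unproven, official-fix, unconfirmed) yields 6.7, which is the 33% floor the text describes.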